I can't get dante to set up username authentication for SOCKS5 using the socksmethod: username method.
ubuntu@ip-10-120-108-135:~$ uname -a
Linux ip-10-120-108-135 5.19.0-1025-aws #26~22.04.1-Ubuntu SMP Mon Apr 24 01:58:15 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
/etc/danted.conf
# errorlog: syslog
logoutput: syslog
user.privileged: root
user.unprivileged: nobody
debug: 1
# The listening network interface or address.
internal: 0.0.0.0 port=1080
# The proxying network interface or address.
external: ens5
# socks-rules determine what is proxied through the external interface.
# socksmethod: username
socksmethod: username
# client-rules determine who can connect to the internal interface.
clientmethod: none
client pass {
from: 111.222.333.444/32 to: 0.0.0.0/0
log: error connect disconnect
}
client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
socks pass {
from: 111.222.333.444/32 to: 0.0.0.0/0
command: bind connect udpassociate
protocol: tcp udp
log: error connect disconnect iooperation
socksmethod: username
user: dante
}
socks block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
Created the user:
sudo useradd -r -s /bin/false dante
sudo usermod --password SOMEPazz dante
Trying to connect:
✗ curl -v -x socks5://dante:[email protected]:1080 ipinfo.io/ip
* Trying 55.55.55.555:1080...
* User was rejected by the SOCKS5 server (1 1).
* Closing connection 0
curl: (97) User was rejected by the SOCKS5 server (1 1).
In the log I see this:
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): no match for authentication: system password authentication failed for user "dante"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: run_negotiate(): recv_clientrequest() from client 111.222.333.444.55484 returned 1, errno is 0 (no error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: info: block(1): tcp/accept ]: 111.222.333.444.55484 10.120.108.135.1080: error after reading 29 bytes in 0 seconds: system password authentication failed for user "dante"
Full log:
ubuntu@ip-10-120-108-135:~$ tail -f /var/log/syslog | grep dante
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: postconfigloadinit(): I am a request-child
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: sockd_setcpusettings(): old cpu scheduling policy/priority: other/0, new: other/0
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: request_postconfigload()
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: addchild(): I am a new request-child with data-pipe 7 and ack-pipe 8
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: sockd_print_child_ready_message(): I'm request-child and ready to serve with 524278 free fds and 1 free slot
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: postconfigloadinit(): I am a request-child
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: sockd_setcpusettings(): old cpu scheduling policy/priority: other/0, new: other/0
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: request_postconfigload()
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: addchild(): I am a new request-child with data-pipe 7 and ack-pipe 8
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: sockd_print_child_ready_message(): I'm request-child and ready to serve with 524278 free fds and 1 free slot
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: main(): selectn() returned 1 (no system error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: accepted tcp client 111.222.333.444.55484 on address 0.0.0.0.1080, fd 8
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sending client 111.222.333.444.55484 to negotiate-child (pid 35039 with 96 slots free)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: send_client(): buflen = 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: childcheck(): current # of free negotiate-child slots is 95, configured minimum is 96: need to add more negotiate-children
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: addchild(): type is negotiate-child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 55: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 56: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 52: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 54: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 on
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 65534/65534, new: 0/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 off
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 0/0, new: 65534/65534
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 on
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 65534/65534, new: 0/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 off
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 0/0, new: 65534/65534
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: addchild(): highest fd in use at the moment: 56
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: addchild(): created new negotiate-child with pid 35059, data-pipe 52 and ack-pipe 55. Minimum rcvbuf: 24536, set: 49072 and 49072. Minimum sndbuf: 2355456, set: 4710912 and 4710912
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: childcheck(): added child, pid 35059
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): 111.222.333.444.55484 -> 10.120.108.135.1080, clientauth N/A, srcauth notset, command accept, fd 10 from 111.222.333.444.55484, accepted on 10.120.108.135.1080
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): trying to match against client-rule-rule #1, verdict = pass
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: addrmatch(): matching ruleaddress IPv4 address 111.222.333.444/32 against IPv4 address 111.222.333.444.55484 for protocol tcp, without alias
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: addrmatch(): matching ruleaddress IPv4 address 0.0.0.0/0 against IPv4 address 10.120.108.135.1080 for protocol tcp, without alias
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method notset is set in the list (1) "none"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): changing authmethod from -1 to 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method none is set in the list (1) "none"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): method: none, 111.222.333.444.55484 -> 10.120.108.135.1080
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method none is set in the list (0) ""
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method none is set in the list (0) ""
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): authentication matched
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): rule matched: 1 (client-rule), verdict pass
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: setconfsockoptions(): going through options, looking for tcp socket options for fd 10 (in: 10) on the internal side
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: setconfsockoptions(): going through global array with 0 options, looking for globals matching 6 (post-establishment or any time)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: setconfsockoptions(): going through local array with 0 options, looking for locals matching 6
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: shmem_userule(): cinfo: 111.222.333.444.55484
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: shmem_userule(): shmids in client-rule #1: bw_shmid 0 ((nil)), mstats_shmid 0 ((nil)), ss_shmid 0 ((nil))
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: info: pass(1): tcp/accept [: 111.222.333.444.55484 10.120.108.135.1080
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: socks_allocbuffer(): fd 10, stype = 1
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recvmsgn(): recvmsg() on fd 7 failed, received -1 bytes: Resource temporarily unavailable
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_negotiate(): recvmsg() from mother returned -1 after having received 1 new clients (0 failed/blocked clients). errno = 11 (Resource temporarily unavailable)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_clientrequest(): fd 10, client 111.222.333.444.55484, state->complete: 0, read so far: 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_clientrequest(): initiating negotiation with client at 111.222.333.444.55484 which connected to us on 10.120.108.135.1080
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_methods(): client 111.222.333.444.55484 offered 3 authentication methods: 0x0 (none), 0x1 (gssapi), 0x2 (username)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_methods(): socksmethod to use not set, selecting amongst the following 1 method: username
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_methods(): sending authentication reply: VER: 5 METHOD: 2 (username)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: run_negotiate(): recv_clientrequest() from client 111.222.333.444.55484 returned 2, errno is 0 (no error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: calling select(). Free negc: 191, reqc: 16, ioc: 32
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: postconfigloadinit(): I am a negotiate-child
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: sockd_setcpusettings(): old cpu scheduling policy/priority: other/0, new: other/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: negotiate_postconfigload()
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: addchild(): I am a new negotiate-child with data-pipe 7 and ack-pipe 8
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: sockd_print_child_ready_message(): I'm negotiate-child and ready to serve with 524278 free fds and 96 free slots
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_clientrequest(): fd 10, client 111.222.333.444.55484, state->complete: 0, read so far: 5
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method username is set in the list (1) "username"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method pam.username is set in the list (1) "username"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: passworddbisunique(): returning 2
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): method: username, 111.222.333.444.55484 -> 10.120.108.135.1080
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method username is set in the list (1) "none"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method username is set in the list (0) ""
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: passwordcheck(): name = dante, password = <cleartextpw>
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_priv(): switching privilege 1 on
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_setugid(): old uid/gid: 65534/65534, new: 0/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_priv(): switching privilege 1 off
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_setugid(): old uid/gid: 0/0, new: 65534/65534
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): no match for authentication: system password authentication failed for user "dante"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: run_negotiate(): recv_clientrequest() from client 111.222.333.444.55484 returned 1, errno is 0 (no error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: info: block(1): tcp/accept ]: 111.222.333.444.55484 10.120.108.135.1080: error after reading 29 bytes in 0 seconds: system password authentication failed for user "dante"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: delete_negotiate(): forwardedtomother: 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: socks_freebuffer(): fd 10
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: main(): selectn() returned 1 (no system error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: handlechildcommand(): command 1 from negotiate-child 35039
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: handlechildcommand(): negotiate-child 35039 has freed a TCP slot, now has 96 slots free
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: calling select(). Free negc: 192, reqc: 16, ioc: 32
Answer 1
Dante is blocking the connection because you set a wrong password. The "--password" option of usermod(8) expects the password argument to be an encrypted password. To quote:
"-p, --password PASSWORD    Define a new password for the user. PASSWORD is expected to be encrypted, as returned by crypt(3)."
But both curl and Dante expect the password you give them to be the plaintext password. You need to set the user's password with a program that expects the password input in plaintext, encrypts it, and writes the encrypted password to the password file, such as passwd(1).
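The misconfiguration the answer describes leaves the literal string "SOMEPazz" in the password field of /etc/shadow, which is not crypt(3) output and therefore can never match any password. The following added example (not code from the question, the answer, or the Dante project) audits shadow(5)-format lines for exactly that condition; the sample lines and hash values are constructed, not real credentials.

```python
import re

# crypt(3) output is either a modular "$id$..." string (MD5, bcrypt,
# SHA-256/512, yescrypt, ...) or the legacy 13-character DES form.
# Anything else in the shadow password field is unusable: Dante's system
# password authentication (and every other crypt-based check) will never
# accept any password for that account.
_MODULAR = re.compile(r"^\$(?:1|2[abxy]|5|6|7|y|gy|md5|sha1)\$[./0-9A-Za-z$=,]+$")
_DES = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_password_field(field: str) -> str:
    """Return how the password field of a shadow(5) entry will behave."""
    if field == "":
        return "empty"      # no password required at all
    if field.startswith(("!", "*")):
        return "locked"     # password authentication disabled
    if _MODULAR.match(field) or _DES.match(field):
        return "hash"       # valid crypt(3) output
    return "unusable"       # e.g. a plaintext value stored via usermod -p


def audit_shadow(lines):
    """Return (user, verdict) pairs for every shadow-format line given."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        results.append((fields[0], classify_password_field(fields[1])))
    return results


# Constructed sample shadow(5) lines; the SHA-512 hash is a dummy value
# in the right format, not a real credential.
SAMPLE_SHADOW = """\
alice:$6$saltsalt$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./ab:19610:0:99999:7:::
dante:SOMEPazz:19610:0:99999:7:::
nobody:*:19610:0:99999:7:::
svc:!:19610:0:99999:7:::
""".splitlines()

if __name__ == "__main__":
    for user, verdict in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:10s} {verdict}")
```

Run it against the real file with `sudo python3 audit.py < /etc/shadow` (adapting the entry point to read stdin); a "unusable" verdict for the proxy account is the sign that the password was written with usermod -p instead of passwd(1).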